[Bug 1655510] [NEW] CVE-2016-9190 Remote code execution through crafted file in pillow < 3.3.2
Wicher Minnaard
wicher at gavagai.eu
Wed Jan 11 01:03:56 UTC 2017
Public bug reported:
See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9190 for
details.
I could not find signs of any backport of a fix in the changelog, currently at 3.1.2-0ubuntu1:
https://launchpad.net/ubuntu/xenial/+source/pillow/+changelog
This particular vuln is fixed in pillow 3.3.2; however, there is a bunch
of other CVEs filed against pillow < 3.4.x, see the bottom of this
report.
IIUC there are two strategies available for creating an update through
the security releases channel: 1) backporting the specific fixes, or 2)
simply bumping the package to a version in which these vulnerabilities
are fixed.
For strategy 2 (probably the cheapest one in terms of effort), I had a
look at the Pillow changelog to see whether there are any backwards
incompatible API changes which would prevent a simple bump. It appears
there are:
Backwards incompatible API changes:
https://pillow.readthedocs.io/en/latest/releasenotes/3.3.0.html#image-metadata
https://pillow.readthedocs.io/en/latest/releasenotes/3.4.0.html#image-core-open-ppm-removed
The latter might not be much of an issue, but the first one may break
software that's counting on the pre-3.3.0 behaviour. Hope this helps!
CVE list (per the Gentoo Linux security advisory): https://archives.gentoo.org/gentoo-announce/message/23306519cb5f9b1a2e438b0797368308
** Affects: pillow (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1655510
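An added example (my own, not part of the bug report or of Ubuntu's tooling) that checks an installed package version against the two thresholds the report names: 3.3.2 for CVE-2016-9190 and, reading the report's "< 3.4.x" as 3.4.0 (an assumption), the remaining CVEs. The binary package name and the dpkg-query output line are constructed sample input; the point of the check is the caveat that a backported fix (strategy 1) leaves the upstream version number unchanged, so an older version means "look for a backport in the changelog", not "confirmed vulnerable".

```python
import re

# Upstream versions in which the fixes landed, per the report.
# "other CVEs" threshold is an assumption: the report says "< 3.4.x",
# modelled here as 3.4.0.
FIXED_VERSIONS = {
    "CVE-2016-9190": (3, 3, 2),
    "other CVEs (Gentoo advisory list)": (3, 4, 0),
}


def upstream_version(debian_version):
    """Reduce a Debian/Ubuntu version such as '1:3.1.2-0ubuntu1' to the
    upstream tuple (3, 1, 2): drop the epoch and the Debian revision."""
    v = debian_version.split(":", 1)[-1]   # drop "epoch:" if present
    v = v.split("-", 1)[0]                 # drop "-<debian revision>"
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError("unrecognised version string: %r" % debian_version)
    return tuple(int(x) for x in m.groups(default="0"))


def assess(debian_version):
    """Map each issue to 'fixed upstream' or a prompt to look for a backport.
    A version check cannot see distro backports, hence the wording."""
    installed = upstream_version(debian_version)
    result = {}
    for issue, fixed in FIXED_VERSIONS.items():
        if installed >= fixed:
            result[issue] = "fixed upstream"
        else:
            result[issue] = "older than upstream fix; check changelog for a backport"
    return result


def parse_dpkg_line(line):
    """Parse one line of `dpkg-query -W -f='${Package} ${Version}\\n'` output."""
    name, version = line.split()
    return name, version


# Constructed sample line; the binary package name is assumed, the version
# is the xenial one named in the report.
SAMPLE_DPKG_OUTPUT = "python3-pil 3.1.2-0ubuntu1"

if __name__ == "__main__":
    pkg, ver = parse_dpkg_line(SAMPLE_DPKG_OUTPUT)
    for issue, status in assess(ver).items():
        print("%s %s: %s -> %s" % (pkg, ver, issue, status))
```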